LiveActive security incident?Get immediate response
CVE Record

CVE-2026-42581: Netty: HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

HighCVSS 7.2Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

Netty, a widely used Java networking framework, has a flaw that lets attackers confuse how web requests are interpreted between systems. Because Netty and downstream proxies can disagree on where one request ends and another begins, attackers may sneak hidden requests through, potentially bypassing security controls or reaching internal endpoints. Upgrading to a patched Netty version resolves the issue.

Executive priority

Treat as a near-term patching priority for internet-facing Java services and API gateways. Business impact is elevated because request smuggling can undermine authentication, WAF rules, and audit trails, but no active exploitation is reported. Schedule remediation within your standard high-severity SLA and prioritize systems that terminate HTTP behind or in front of proxies.

Technical view

In Netty HttpObjectDecoder before 4.2.13.Final and 4.1.133.Final, the sanitization that strips a conflicting Content-Length when Transfer-Encoding: chunked is present only fires for HTTP/1.1. HTTP/1.0 requests bypass this guard, so Netty decodes the body as chunked while the HttpMessage still carries the original Content-Length. Downstream proxies or handlers that prefer Content-Length desynchronize on message boundaries, enabling HTTP request smuggling (CWE-444).

Likely exposure

Any Java service, gateway, or middleware using vulnerable Netty (4.2.0.Alpha1 through 4.2.12, or 4.1.x before 4.1.133.Final) to terminate HTTP is potentially exposed, especially when fronted by or fronting another HTTP intermediary. Red Hat has shipped errata affecting multiple JBoss/Middleware and OpenShift components, indicating broad downstream reach.

Exploitation context

No public reports of active exploitation and not listed in CISA KEV as of the source bundle. The GitHub Security Advisory (GHSA-xxqh-mfjm-7mv9) and Red Hat advisories describe the smuggling primitive but do not cite in-the-wild abuse. CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting network-reachable, unauthenticated preconditions with scope change.

Researcher notes

Root cause is a version-gated sanitization branch in HttpObjectDecoder that only strips conflicting Content-Length for HTTP/1.1. HTTP/1.0 flows retain both CL and TE in the emitted HttpMessage, producing classic TE.CL or CL.TE desync depending on the peer. Interesting angle: many modern intermediaries silently upgrade or downgrade to HTTP/1.0 for legacy compatibility, expanding attack surface. Review shaded/relocated Netty JARs, since SCA often misses them. CVSS scope change reflects downstream impact on the fronting proxy.

Mitigation direction

  • Upgrade Netty to 4.2.13.Final or 4.1.133.Final (or later) across all services and shaded dependencies.
  • Apply the relevant Red Hat RHSA errata (e.g., RHSA-2026:28010, 25123, 36820, 37390, 23808, 24502) to affected products.
  • Inventory transitive Netty usage via SBOM and dependency scanners; rebuild containers and redeploy.
  • Where patching is delayed, restrict or reject HTTP/1.0 requests carrying both Content-Length and Transfer-Encoding at the edge.
  • Confirm upstream proxies normalize or reject ambiguous framing headers per RFC 9112.
  • Monitor vendor guidance for embedded appliances and SaaS platforms that ship Netty.

Validation and detection

  • Enumerate Netty versions across build artifacts, containers, and runtime classpaths using SBOM/SCA tooling.
  • Verify fixed versions (4.2.13.Final / 4.1.133.Final) are loaded at runtime, not just declared in manifests.
  • Review edge and internal proxies for HTTP/1.0 handling and header precedence between CL and TE.
  • Test in a controlled lab: send benign HTTP/1.0 requests with both headers and confirm consistent framing decisions.
  • Check Red Hat CSAF VEX data and RHBZ#2477232 for product-specific applicability.
  • Track vendor advisories for downstream frameworks (Spring, Vert.x, gRPC-Java, Elasticsearch clients) that embed Netty.
Prepared
Confidence
high
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-444: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-42581 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.2 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
2ADP providers
11Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.2CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N3.92.7redhat-SADP
5.8CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N3.91.4GitHub_M

Vulnerability scoring details

Base CVSS 3.1 score

7.2High
CVSS 3.1 vector shape for CVE-2026-42581Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. ADP timelineredhat-SADP

    Reported to Red Hat.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
redhat-SADPnetty: io.netty/netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers
other:Red Hat severity ratingcvssV3_1
  • 2026-05-13T19:02:26.404Z: Reported to Red Hat.
  • 2026-05-13T17:54:44.492Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
nettynetty>= 4.2.0.Alpha1, < 4.2.13.Final, < 4.1.133.FinalListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-444 · source CWE mapping

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.